[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

PJ Eby pje at telecommunity.com
Tue Mar 12 18:54:25 CET 2013

On Tue, Mar 12, 2013 at 1:33 PM, Jesse Noller <jnoller at gmail.com> wrote:
> There's not much to understand: external hosting of packages is *actively harmful*, period. End users of easy_install and pip *don't even realize* 99% of the time that these tools are following links off of PyPI and installing packages from random, probably insecure/non-https locations all over the internet. Once they realize it they recoil in terror if they have any understanding of the implications.

This is a rationale for secure defaults for various options, like the
ones I outlined in the portions of my post that you *didn't* quote.

It's not a rationale for removing the options themselves.

